

Nginx: patching the bug with a smooth upgrade to 0.8.16

A patch to fix VU#180065 vulnerability in 0.1.0-0.8.14.
The patch is not required for versions 0.8.16+, 0.7.62+, 0.6.39+, 0.5.38+.

nginx has a security vulnerability that affects versions 0.1.0-0.8.14.
Versions 0.8.16+, 0.7.62+, 0.6.39+ and 0.5.38+ are not affected.

    wget http://sysoev.ru/nginx/nginx-0.7.62.tar.gz
    tar zxvf nginx-0.7.62.tar.gz
    cd nginx-0.7.62

Turn off debug mode to reduce the size of the nginx binary

    vi auto/cc/gcc
    # jump to the last few lines (Shift+G)
    # comment out this line
    #CFLAGS="$CFLAGS -g"

Disguise the Server header

    vi src/core/nginx.h
    #define NGINX_VERSION      "1.2"
    #define NGINX_VER          "C1GWS/" NGINX_VERSION

Compile

    ./configure --user=www --group=website --prefix=/opt/nginx --with-http_stub_status_module --with-http_ssl_module
    make

# No need to run make install

Back up the original binary

    mv /opt/nginx/sbin/nginx /opt/nginx/sbin/nginx.old

Copy the new binary into place

    cp objs/nginx /opt/nginx/sbin/nginx

Check the configuration file

    /opt/nginx/sbin/nginx -t

If your configuration file comes from 0.6.x, there will be 2 errors

    [warn]: the "optimize_server_names" directive is deprecated, use the "server_name_in_redirect" directive instead in /opt/nginx/conf/nginx.conf:36
    [emerg]: "server_name_in_redirect" directive is duplicate in /opt/nginx/conf/nginx.conf:37
    configuration file /opt/nginx/conf/nginx.conf test failed

    [warn]: duplicate MIME type "text/html" in /opt/nginx/conf/nginx.conf:63
    the configuration file /opt/nginx/conf/nginx.conf syntax is ok
    configuration file /opt/nginx/conf/nginx.conf test is successful

Remove server_name_in_redirect and text/html from nginx.conf

    optimize_server_names off;
    server_name_in_redirect off;
    gzip_types       text/plain application/x-javascript text/css application/xml;

Rename the pid file and start a new master under a new pid
# The ` character is the key at the top left of the keyboard

    kill -USR2 `cat /dev/shm/nginx.pid`

Quit the old nginx

    kill -QUIT `cat /dev/shm/nginx.pid.oldbin`

Upgrade complete!

    curl -I localhost
    HTTP/1.1 200 OK
    Server: C1GWS/1.2
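
The config test and the USR2/QUIT steps above can be chained so that the old master is only told to quit once a new master is confirmed running. This is an added example, not part of the original post; the paths are the ones used on this page, while WAIT_SECS, the function names and the upgrade.sh file name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): guarded USR2/QUIT binary swap.
NGINX_BIN="${NGINX_BIN:-/opt/nginx/sbin/nginx}"  # path used on the page
NGINX_PID="${NGINX_PID:-/dev/shm/nginx.pid}"     # pid file used on the page
WAIT_SECS="${WAIT_SECS:-10}"                     # assumption: polling limit

# alive PIDFILE: true if the file exists and names a running process.
alive() {
    [ -s "$1" ] && kill -0 "$(cat "$1")" 2>/dev/null
}

# new_master_up: the old pid file was renamed to .oldbin and a different,
# live master has written a fresh pid file.
new_master_up() {
    alive "$NGINX_PID.oldbin" && alive "$NGINX_PID" &&
        [ "$(cat "$NGINX_PID")" != "$old_pid" ]
}

# wait_for CMD: retry CMD once per second, give up after WAIT_SECS tries.
wait_for() {
    n=0
    until "$@"; do
        n=$((n + 1))
        [ "$n" -lt "$WAIT_SECS" ] || return 1
        sleep 1
    done
}

# smooth_upgrade: 0 on success; 1 bad config, 2 no master, 3 signal failed,
# 4 new master never appeared (old master is left serving traffic).
smooth_upgrade() {
    "$NGINX_BIN" -t >/dev/null 2>&1 || { echo "config test failed" >&2; return 1; }
    alive "$NGINX_PID" || { echo "no running master" >&2; return 2; }
    old_pid=$(cat "$NGINX_PID")
    kill -USR2 "$old_pid" || return 3
    if ! wait_for new_master_up; then
        echo "new master not up; old master $old_pid untouched" >&2
        return 4
    fi
    kill -QUIT "$(cat "$NGINX_PID.oldbin")"
}

# Run only when asked, e.g.:  sh upgrade.sh --run   (hypothetical file name)
if [ "${1:-}" = "--run" ]; then smooth_upgrade; fi
```

If it returns 4, the still-vulnerable old binary keeps serving requests, so check the error log before retrying.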
